BaseCTF2024[Week1]

Reverse

You are good at IDA

Part1

打开IDA按F5,得到第一部分

image-20240824135041482

Part2

根据以上提示,打开字符串窗口(原文写作 shift+F2;IDA 默认用 Shift+F12 打开 Strings 窗口):

双击含 Second 的字符串进入,按“X”查看交叉引用,找到对应函数,

得到第二部分flag,按“R”转换为字符:

image-20240824135517153

Part3

第三部分flag在一个Interesting的函数中:

image-20240824135453999

image-20240824135535863

flag:

BaseCTF{Y0u_4Re_900d_47_id4}

UPX mini

拖DIE中查壳儿,4.01版本

image-20240824140522684

upx -d UPXmini.exe

image-20240824143602786

点击base64函数,发现没换表(即使用标准 Base64 字母表,任意标准解码器都能还原),有密文,直接解码出flag

附一个标准base64:

// IDA Hex-Rays pseudocode for the encoder in the unpacked sample.
// Encodes the NUL-terminated string a1 with the alphabet copied into v4 below
// and returns a malloc'd, NUL-terminated buffer. No free() appears in this
// function, so releasing the buffer is presumably left to the caller.
// Point for the analyst: the alphabet is the unmodified RFC 4648 table and the
// pad byte is '=' (61), so a standard Base64 decoder reverses this routine.
_BYTE *__fastcall base64_encode(char *a1)
{
int v1; // eax
_BYTE *v2; // rax
char v4[72]; // [rsp+20h] [rbp-70h] BYREF
_BYTE *v5; // [rsp+68h] [rbp-28h]
int v6; // [rsp+74h] [rbp-1Ch]
char *Str; // [rsp+78h] [rbp-18h]
int v8; // [rsp+80h] [rbp-10h]
int v9; // [rsp+84h] [rbp-Ch]
int v10; // [rsp+88h] [rbp-8h]
int v11; // [rsp+8Ch] [rbp-4h]

Str = a1;
// 64 alphabet characters plus the terminator: 65 bytes into the 72-byte v4.
strcpy(v4, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/");
// Input length is kept in an int.
v6 = strlen(a1);
// v10 = number of leftover input bytes (0, 1 or 2); v11 = output length in
// characters. v10 and v11 are assigned only inside these three branches.
v1 = v6 % 3;
if ( v6 % 3 == 1 )
{
v10 = 1;
v11 = 4 * (v6 / 3 + 1);
}
else if ( v1 == 2 )
{
v10 = 2;
v11 = 4 * (v6 / 3 + 1);
}
else if ( !v1 )
{
v10 = 0;
v11 = 4 * (v6 / 3);
}
// One extra byte for the terminator. The result of malloc is not checked
// before the writes below.
v5 = malloc(v11 + 1);
v9 = 0;
v8 = 0;
// Full 3-byte groups only: each turns into four 6-bit indexes into v4.
while ( v8 < v6 - v10 )
{
v5[v9] = v4[(int)(unsigned __int8)Str[v8] >> 2];
v5[v9 + 1] = v4[((int)(unsigned __int8)Str[v8 + 1] >> 4) | (16 * Str[v8]) & 0x30];
v5[v9 + 2] = v4[((int)(unsigned __int8)Str[v8 + 2] >> 6) | (4 * Str[v8 + 1]) & 0x3C];
v5[v9 + 3] = v4[Str[v8 + 2] & 0x3F];
v8 += 3;
v9 += 4;
}
// One leftover byte: two alphabet characters followed by "==".
if ( v10 == 1 )
{
v5[v11 - 4] = v4[(int)(unsigned __int8)Str[v6 - 1] >> 2];
v5[v11 - 3] = v4[(16 * Str[v6 - 1]) & 0x30];
v2 = &v5[v11 - 1];
*v2 = 61;
v5[v11 - 2] = *v2;
}
// Two leftover bytes: three alphabet characters followed by a single "=".
else if ( v10 == 2 )
{
v5[v11 - 4] = v4[(int)(unsigned __int8)Str[v6 - 2] >> 2];
v5[v11 - 3] = v4[((int)(unsigned __int8)Str[v6 - 1] >> 4) | (16 * Str[v6 - 2]) & 0x30];
v5[v11 - 2] = v4[(4 * Str[v6 - 1]) & 0x3C];
v5[v11 - 1] = 61;
}
// Terminate the output string.
v5[v11] = 0;
return v5;
}

Ez Xor

无壳

image-20240824144240382

看逻辑:先判断输入字符为28位,再处理v4(假设为密钥“Xor”),用它加密输入字符,最后与密文比较——

image-20240824144219198

Set item type 改数据类型

异或串1由i异或key循环产生28位

image-20240824154936713

flag与 逆转的异或串1 异或产生字符串Str

image-20240824193746260

最后Str与给的密文比较

逻辑也简单,写脚本:

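# Solver for "Ez Xor": recover the 28-character input from the ciphertext the
# binary compares against.
#
# The check, as described in the write-up: byte i of a 28-byte XOR stream is
# i ^ key[i % 3]; the input is XORed with that stream reversed, and the result
# is compared with Str. XOR is its own inverse, so applying the same stream to
# Str gives the input back.
key = [0x58, 0x6F, 0x72]  # ASCII bytes of "Xor"
Str = [
    0x01, 0x09, 0x05, 0x25, 0x26, 0x2D, 0x0B, 0x1D,
    0x24, 0x7A, 0x31, 0x20, 0x1E, 0x49, 0x3D, 0x67,
    0x4D, 0x50, 0x08, 0x25, 0x2E, 0x6E, 0x05, 0x34,
    0x22, 0x40, 0x3b, 0x25,
]

flag = ""
for i in range(len(Str)):
    # Stream byte i pairs with the ciphertext byte counted from the end.
    # The original script indexed an undefined name here; the ciphertext
    # list is Str.
    flag += chr(i ^ Str[len(Str) - 1 - i] ^ key[i % len(key)])

# The loop builds the plaintext back to front, so reverse it before printing.
print(flag[::-1])
# BaseCTF{X0R_I5_345Y_F0r_y0U}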

ez_maze

image-20240824200108696

wa!迷宫!

image-20240824200625193

出来啦!sssssssddddwwwddsssssssdddsssddddd

image-20240824200720082

BasePlus

看题目,看main函数:

image-20240824200822549

encode:看着像base64,但是Plus!细细看,不只是换了表

// IDA Hex-Rays pseudocode for the "BasePlus" encoder.
// Reads the NUL-terminated string a1, writes the encoded, NUL-terminated
// result to a2 and returns the number of encoded bytes (4 per input group,
// 0 for an empty input).
// The function takes no output size: every write to a2 is unbounded here, so
// the caller has to supply at least 4 * ceil(len / 3) + 1 bytes.
// To invert it: XOR each output byte with 0xE, look up its index in Secret
// (the table is defined outside this listing), then rejoin the 6-bit values
// into bytes. There is no '=' padding; see the note on zero-filled groups.
__int64 __fastcall Encode(const char *a1, __int64 a2)
{
int v3; // r10d
char *v4; // r9
__int64 v5; // r8
__int64 v6; // rdi
int v7; // ebp
__int64 v8; // rax
__int64 result; // rax
__int64 v10; // rax
__int64 v11; // rcx
bool v12; // r13
bool v13; // r12
char v14; // [rsp+8h] [rbp-40h]
__int16 v15; // [rsp+9h] [rbp-3Fh]
unsigned __int8 v16; // [rsp+Bh] [rbp-3Dh]
char v17[60]; // [rsp+Ch] [rbp-3Ch] BYREF

// v3 = input length, v7 = count of input bytes consumed so far.
v3 = strlen(a1);
if ( v3 <= 0 )
{
LODWORD(result) = 0;
}
else
{
// v6/v5 are the start/end offsets of the current 4-byte output group in a2.
// v4 is moved back by 4 each round so that v4[v8] always lands on v17[0..3].
v4 = v17;
v5 = 4i64;
v6 = 0i64;
v7 = 0;
do
{
// Clear the 3-byte input group: v15 holds bytes 0-1, v16 holds byte 2.
// A short final group therefore encodes its missing bytes as zero.
v15 = 0;
v16 = 0;
if ( v3 > v7 )
{
v10 = v7 + 1;
v11 = 1i64;
do
{
v7 = v10;
// v14 sits at rbp-40h, directly below v15 (rbp-3Fh) and v16 (rbp-3Dh), so
// &v14 + 1..3 addresses the three group bytes; v14 itself is never written.
*(&v14 + v11) = a1[v10 - 1];
v12 = (int)v11 <= 2;
v13 = v3 > (int)v10++;
++v11;
}
// Stop after three bytes or at the end of the input, whichever comes first.
while ( v13 && v12 );
}
// Same 6-bit split as Base64, but the indexes go into Secret.
v17[0] = Secret[(unsigned __int8)v15 >> 2];
v17[1] = Secret[(HIBYTE(v15) >> 4) | (16 * (_BYTE)v15) & 0x30];
v17[2] = Secret[(v16 >> 6) | (4 * HIBYTE(v15)) & 0x3C];
v17[3] = Secret[v16 & 0x3F];
v8 = v6;
do
{
// The extra step on top of the table lookup: each output byte is XORed with 0xE.
*(_BYTE *)(a2 + v8) = v4[v8] ^ 0xE;
++v8;
}
while ( v8 != v5 );
// Running output length after this group.
LODWORD(result) = v5;
v6 += 4i64;
v4 -= 4;
v5 += 4i64;
}
while ( v3 > v7 );
}
// Terminate the output and return its length.
result = (int)result;
*(_BYTE *)(a2 + (int)result) = 0;
return result;
}

image-20240824201050815

果然结果异或0xE

image-20240824201316243